[security-dev] PLINK-84 - Login can be bypassed with any user after a first successful login

Shane Bryzak sbryzak at redhat.com
Tue Jan 29 17:03:53 EST 2013


Is picketlink-core being used for authentication?  The default Identity 
implementation should already protect against this kind of thing:

             // Already authenticated: do not run a second authentication on this
             // Identity, but refuse credentials that name a different user.
             if (isLoggedIn())
             {
                 if (isAuthenticationRequestWithDifferentUserId())
                 {
                     throw new UnexpectedCredentialException("active user: " + this.user.getId() +
                             " provided credentials: " + this.loginCredential.getUserId());
                 }

                 // Same user as the active session: report it, no re-authentication.
                 beanManager.fireEvent(new AlreadyLoggedInEvent());
                 return AuthenticationResult.SUCCESS;
             }

On 30/01/13 06:58, Anil Saldhana wrote:
>   From what I understand from JIRA comments, the use case boils down to
> use of additional credentials after a successful authentication.
>
> I am thinking maybe the authentication process should register the type
> of credential last used and if subsequent login() calls happen on the
> identity, then a change of credential (via the credential.setCredential)
> should trigger an authentication process.
>
> Unless the credential type has changed, I am unsure why we need to
> perform another authentication when the user has already authenticated
> and the session is active.
>
> Thoughts/feedback?
>
> On 01/29/2013 08:28 AM, Bruno Oliveira wrote:
>> Good morning everybody, I'm not sure if this jira was filed correctly https://issues.jboss.org/browse/PLINK-84
>>
>> Let me know.
>>
>>
> _______________________________________________
> security-dev mailing list
> security-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/security-dev
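A worked illustration of the guard Shane quotes, added here as an example and not taken from the thread or from PicketLink's code base. It models an Identity whose login() short-circuits once a session is authenticated, first without the different-user check (any credentials presented afterwards are reported as SUCCESS) and then with it. The Identity class, the in-memory user table and the user names are all constructed for the demonstration.

```java
import java.util.HashMap;
import java.util.Map;

// Added example: a minimal model of the isLoggedIn()/different-user guard.
// Not PicketLink code; names and data are assumptions for this demo.
public class LoginGuardDemo {

    static class UnexpectedCredentialException extends RuntimeException {
        UnexpectedCredentialException(String msg) { super(msg); }
    }

    enum AuthenticationResult { SUCCESS, FAILED }

    // Constructed credential store: user id -> password (plaintext only for the demo)
    static final Map<String, String> USERS = new HashMap<>();
    static {
        USERS.put("alice", "alice-pw");
        USERS.put("bob", "bob-pw");
    }

    static class Identity {
        private String user;            // active user id, null while logged out
        private final boolean guarded;  // apply the different-user check or not

        Identity(boolean guarded) { this.guarded = guarded; }

        boolean isLoggedIn() { return user != null; }
        String getUser() { return user; }

        AuthenticationResult login(String userId, String password) {
            if (isLoggedIn()) {
                // The session is already authenticated; no second authentication runs.
                if (guarded && !user.equals(userId)) {
                    // Credentials name a different user than the active session: reject.
                    throw new UnexpectedCredentialException(
                        "active user: " + user + " provided credentials: " + userId);
                }
                // Same user (or unguarded): report success without re-verifying.
                return AuthenticationResult.SUCCESS;
            }
            String expected = USERS.get(userId);
            if (expected != null && expected.equals(password)) {
                user = userId;
                return AuthenticationResult.SUCCESS;
            }
            return AuthenticationResult.FAILED;
        }
    }

    public static void main(String[] args) {
        // Unguarded: after alice logs in, "bob" with a wrong password is reported as SUCCESS.
        Identity unguarded = new Identity(false);
        unguarded.login("alice", "alice-pw");
        System.out.println("unguarded second login as bob: "
            + unguarded.login("bob", "wrong")
            + " (active user still " + unguarded.getUser() + ")");

        // Guarded: the same call is rejected with the active/provided user ids.
        Identity guarded = new Identity(true);
        guarded.login("alice", "alice-pw");
        try {
            guarded.login("bob", "wrong");
        } catch (UnexpectedCredentialException e) {
            System.out.println("guarded second login rejected: " + e.getMessage());
        }
        // A repeated login by the active user is simply reported as already logged in.
        System.out.println("guarded repeat login as alice: "
            + guarded.login("alice", "alice-pw"));
    }
}
```

Two points a practitioner would check against this model: the guard compares only user identifiers, so a second login() by the active user is not re-verified (acceptable, since the session already belongs to that user), and an application that treats SUCCESS from the unguarded path as "the supplied credentials were valid" is the one that gets bypassed.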
